DNS Setup - Which solution should I use?

Started by Mayo132, December 24, 2022, 02:51:57 PM

Hey everyone,

I'm sorry for asking, but I would like to hear how you set up your OPNsense DNS.

Some days ago I was using pfSense with the plugin pfBlockerNG.

Now I have successfully set up and installed OPNsense on my system - everything works quite well. But at the moment I am trying to find a well-working solution for the DNS resolver and the ad-blocking feature of pfSense.

So here is my question: do you use ad blocking and IP blocking in your setup? If yes, how did you realize it?

Here is my setup.
- OPNsense + Zenarmor
- Unbound with additional ad lists.

But I do not know if it is the right way to filter my DNS. Do you always use DNS over HTTPS? Or are you using DNS via port 53?

Thanks a lot for helping.

I wish everyone a merry christmas ;)

Mario

Hi Mario,

I don't do DNS on OPNsense since I was always told explicitly in firewall training that you need to minimise the attack surface of your security devices. Traffic should only go through a firewall and it should not be a source or a destination of traffic itself, (outside its management network).

My internal DNS ultimately resolves to a Pi-Hole. Horses for courses.

Bart...

Quote from: bartjsmit on December 24, 2022, 03:44:44 PM
Hi Mario,

I don't do DNS on OPNsense since I was always told explicitly in firewall training that you need to minimise the attack surface of your security devices. Traffic should only go through a firewall and it should not be a source or a destination of traffic itself, (outside its management network).

My internal DNS ultimately resolves to a Pi-Hole. Horses for courses.

Bart...

Hi, thanks a lot for these hints. Maybe you can tell me the size of your network and what machine (hardware) you are using for the Pi-hole service?
=> Do you use Unbound in your Pi-hole installation? Or are you using an external DNS server?

I am sorry to ask, but I would like to see how "other people" build their networks. I think building networks is a never-ending process - there is always the possibility to improve the security or something else.

Thanks

December 24, 2022, 06:56:14 PM #3 Last Edit: December 25, 2022, 09:28:05 AM by phoenix
FWIW, I use dns servers on my local home network and not on the firewall. All my servers are virtual machines on vSphere 8 and I use PowerDNS Authoritative Server, PowerDNS Recursor and dnsdist load balancer. I also add a ton of rpz 'files' to these servers to keep my network and browser(s) clean.
Regards


Bill

Quote from: Mayo132 on December 24, 2022, 04:14:51 PM
Hi, thanks a lot for these hints. Maybe you can tell me the size of your network and what machine (hardware) you are using for the Pi-hole service?
=> Do you use Unbound in your Pi-hole installation? Or are you using an external DNS server?

I am sorry to ask, but I would like to see how "other people" build their networks. I think building networks is a never-ending process - there is always the possibility to improve the security or something else.

Thanks

My Pi-Hole is virtual on vSphere 8 with about 20 other VM servers and a few physical IoT devices. The firewall runs NAT, OpenVPN server, RADVD and DHCP for the likes of Guest and IoT networks. There are about ten VLANs in the mix for storage, DMZ, management, etc. WiFi is from multi-SSID APs to extend the relevant VLANs to wireless.

Inbound traffic is a bit of web, SMTP and VoIP for our old landline number. Everything else goes over the VPN.

Bart...

Quote from: bartjsmit on December 24, 2022, 03:44:44 PM
Hi Mario,

I don't do DNS on OPNsense since I was always told explicitly in firewall training that you need to minimise the attack surface of your security devices. Traffic should only go through a firewall and it should not be a source or a destination of traffic itself, (outside its management network).

My internal DNS ultimately resolves to a Pi-Hole. Horses for courses.

Bart...
Hi Bart,

you made a very good point, and I was planning to use my Raspberry Pi for this purpose by deploying Pi-hole + Unbound, but then I'm not sure which way to connect the Raspberry Pi to the network, i.e. to a port of the OPNsense box or? Could you shed some light?

Tia.

Quote from: hushcoden on December 24, 2022, 11:54:51 PM

Hi Bart,

you made a very good point, and I was planning to use my Raspberry Pi for this purpose by deploying Pi-hole + Unbound, but then I'm not sure which way to connect the Raspberry Pi to the network, i.e. to a port of the OPNsense box or? Could you shed some light?

Tia.

First of all, congratulations on owning a Pi, they have become very rare recently (although the green band in rpilocator.com is getting wider again).

You can connect the Pi-Hole to any LAN switch or access point. It does work more reliably on Ethernet but you are unlikely to notice much difference with WiFi.

If you want to plug it directly into an interface on OPNsense, you'll likely need a crossover cable and firewall rules. The consideration for running a switch for your LAN almost starts to hinge on its electricity consumption rather than its purchase price these days.

I have way too many switches with my port count getting dangerously close to three figures. They do give you much more info on what's happening on your networks. Cacti and smokeping are marvellous projects.

Bart...

So thanks for the replies.

If I get it right, everyone recommends not using the internal DNS server of the firewall.

So it should be better to create a new DNS server within the network - like Pi-hole.

So you configure the firewall like the following:

Firewall:
DNS (under Gateways): 1.1.1.1 / 9.9.9.9 (to get the firewall connected to the Internet)
DHCP: You deploy - the first DNS resolver is your Pi-hole -> the second one? A public server?

Or do you also point the DNS server of the firewall to your Pi-hole?

Quote from: Mayo132 on December 25, 2022, 12:34:18 PM
So thanks for the replies.

If I get it right, everyone recommends not using the internal DNS server of the firewall.

So it should be better to create a new DNS server within the network - like Pi-hole.

So you configure the firewall like the following:

Firewall:
DNS (under Gateways): 1.1.1.1 / 9.9.9.9 (to get the firewall connected to the Internet)
DHCP: You deploy - the first DNS resolver is your Pi-hole -> the second one? A public server?

Or do you also point the DNS server of the firewall to your Pi-hole?
IMHO the easiest way of doing DNS with OPNsense is to configure Unbound as a recursive DNS server + blocklist (avoid DoT to preserve your privacy, no need to let Quad9 or Cloudflare know which websites you're visiting).

But to follow Bart's valid point, you could use an additional device on your network such as a Raspberry Pi where you'd install Pi-hole (or AdGuard Home) + Unbound and use that as your DNS recursive server + ads blocker.

Besides I'm going to install on a VM Technitium and play with it as it seems to be a pi-hole + a recursive DNS server all-in-one - info here

Merry Christmas!
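Both the "Unbound with additional ad lists" setup from the first post and the "Unbound as recursive server + blocklist" suggestion in the post above come down to the same two pieces: a blocklist expressed in Unbound's local-zone syntax, and a server stanza that recurses from the root servers instead of forwarding. The script below is an added example of how that is assembled; it was not posted by anyone in this thread and is not OPNsense's, Pi-hole's or Unbound's own tooling. The LAN address and subnet, the include path and the contents of the sample adlist are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Converts a hosts-format adlist, the
# format Pi-hole and most public lists use, into Unbound "local-zone" lines
# that answer NXDOMAIN, and writes a minimal recursive-resolver config around it.
# Addresses, paths and the list contents below are constructed for the demo.

# Constructed sample adlist: comments, duplicates, mixed case, loopback noise.
SAMPLE_HOSTS='# Title: constructed sample adlist
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.net   # trailing comment
0.0.0.0 ads.example.com
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 metrics.example.org'

LAN_IF=192.168.1.1                        # assumed LAN address Unbound listens on
LAN_NET=192.168.1.0/24                    # assumed LAN subnet allowed to query
INCLUDE_PATH=/var/unbound/adblock.conf    # assumed path for the generated list

# Read hosts-format lines on stdin, write one "local-zone" line per unique name.
# Drops comments, non-sink addresses, loopback/self entries and malformed names,
# so a sloppy or hostile list cannot smuggle arbitrary config keywords in.
hosts_to_unbound() {
    awk '
        { sub(/#.*/, "") }                         # strip comments
        NF < 2 { next }                            # need "address hostname"
        $1 != "0.0.0.0" && $1 != "127.0.0.1" && $1 != "::1" && $1 != "::" { next }
        {
            h = tolower($2)
            if (h == "localhost" || h == "localhost.localdomain" || h == "local" ||
                h == "broadcasthost" || h == "ip6-localhost" || h == "ip6-loopback" ||
                h == "0.0.0.0") next
            if (h !~ /^[a-z0-9.-]+$/ || h !~ /\./) next   # only plausible FQDNs
            if (h in seen) next                    # dedupe
            seen[h] = 1
            printf "local-zone: \"%s.\" always_nxdomain\n", h
        }'
}

# Count how many zones a list produces (sanity check before loading a new list).
count_zones() {
    hosts_to_unbound | awk 'END { print NR }'
}

# Write the blocklist include plus a server stanza that recurses from the
# root servers itself: no forward-zone, so no upstream resolver sees queries.
write_unbound_conf() {
    dir=$1
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound > "$dir/adblock.conf"
    cat > "$dir/resolver.conf" <<EOF
server:
    interface: $LAN_IF
    access-control: $LAN_NET allow
    access-control: 0.0.0.0/0 refuse
    # Recursive mode: with no forward-zone, Unbound walks from the root hints.
    qname-minimisation: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    hide-identity: yes
    hide-version: yes
    include: "$INCLUDE_PATH"
# To forward over DoT instead, a forward-zone with forward-tls-upstream: yes
# would go here; it is left out on purpose (see the usage note).
EOF
}

# Stand-alone demo: print the generated local-zone lines.
printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound
```

Point the include at wherever your Unbound reads extra configuration from and reload it; the sample list yields three local-zone lines, with the duplicate, the loopback entries and the `0.0.0.0 0.0.0.0` line filtered out. The config deliberately has no forward-zone, which is the trade-off the posts above are weighing: recursion sends each query in the clear from your WAN address to the authoritative servers, so the ISP can watch them, while a DoT forward-zone hides them from the ISP but hands the full list of names to Quad9 or Cloudflare. One caveat on the DHCP question earlier in the thread: if the scope hands out a public resolver as secondary, clients that time out on the Pi-hole, or that simply prefer the second entry, resolve straight around the blocklist, so the secondary should be another internal resolver or none at all.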

Quote from: hushcoden on December 25, 2022, 01:30:43 PM

IMHO the easiest way of doing DNS with OPNsense is to configure Unbound as a recursive DNS server + blocklist (avoid DoT to preserve your privacy, no need to let Quad9 or Cloudflare know which websites you're visiting).

[...]

Besides I'm going to install on a VM Technitium and play with it as it seems to be a pi-hole + a recursive DNS server all-in-one - info here

Merry Christmas!

Thanks. First of all, merry Christmas to everyone :) I'm sorry - I forgot it in the last post.

The Technitium "linux" seems to be very interesting - I will also have a look at it! Thanks for this information.

But please let me ask a question about DoT - you said that I should just avoid it to preserve my privacy. But I always thought that these methods, DoH/DoT, protect my privacy because the traffic is encrypted. Maybe you can explain it? Or give me a hint where I can start to "google" for it?

Thanks !

December 25, 2022, 01:56:51 PM #10 Last Edit: December 25, 2022, 02:02:35 PM by hushcoden
Quote from: Mayo132 on December 25, 2022, 01:40:47 PM
But please let me ask a question about DoT - you said that I should just avoid it to preserve my privacy. But I always thought that these methods, DoH/DoT, protect my privacy because the traffic is encrypted. Maybe you can explain it? Or give me a hint where I can start to "google" for it?

Thanks !
Those methods simply hide your DNS requests from your ISP but those companies (Quad9, etc.) are obviously able to see which websites you request... similarly to VPNs, i.e. your ISP can't see your traffic, but the VPN company can, makes sense ;-)